aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/controller/render_test.rb
Commit message (Collapse)AuthorAgeFilesLines
* Fix flaky test ActionControllerBaseRenderTest#test_direct_render_to_stringFumiaki MATSUSHIMA2019-07-261-4/+20
|
* Enable `Layout/EmptyLinesAroundAccessModifier` copRyuta Kamizono2019-06-131-1/+0
| | | | | | | | | | | We sometimes say "✂️ newline after `private`" in a code review (e.g. https://github.com/rails/rails/pull/18546#discussion_r23188776, https://github.com/rails/rails/pull/34832#discussion_r244847195). Now `Layout/EmptyLinesAroundAccessModifier` cop have new enforced style `EnforcedStyle: only_before` (https://github.com/rubocop-hq/rubocop/pull/7059). That cop and enforced style will reduce the our code review cost.
* Always reject files external to appJohn Hawthorn2019-04-031-7/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, when using `render file:`, it was possible to render files not only at an absolute path or relative to the current directory, but relative to ANY view paths. This was probably done for absolutely maximum compatibility when addressing CVE-2016-0752, but I think is unlikely to be used in practice. Tihs commit removes the ability to `render file:` with a path relative to a non-fallback view path. Make FallbackResolver.new private To ensure nobody is making FallbackResolvers other than "/" and "". Make reject_files_external_... no-op for fallbacks Because there are only two values used for path: "" and "/", and File.join("", "") == File.join("/", "") == "/", this method was only testing that the absolute paths started at "/" (which of course all do). This commit doesn't change any behaviour, but it makes it explicit that the FallbackFileSystemResolver works this way. Remove outside_app_allowed argument Deprecate find_all_anywhere This is now equivalent to find_all Remove outside_app argument Deprecate find_file for find Both LookupContext#find_file and PathSet#find_file are now equivalent to their respective #find methods.
* Introduce Template::File as new render file:John Hawthorn2019-03-271-2/+2
| | | | | | | | | | | | | | | | | | | | | | | The previous behaviour of render file: was essentially the same as render template:, except that templates can be specified as an absolute path on the filesystem. This makes sense for historic reasons, but now render file: is almost exclusively used to render raw files (not .erb) like public/404.html. In addition to complicating the code in template/resolver.rb, I think the current behaviour is surprising to developers. This commit deprecates the existing "lookup a template from anywhere" behaviour and replaces it with "render this file exactly as it is on disk". Handlers will no longer be used (it will render the same as if the :raw handler was used), but formats (.html, .xml, etc) will still be detected (and will default to :plain). The existing render file: behaviour was the path through which Rails apps were vulnerable in the recent CVE-2019-5418. Although the vulnerability has been patched in a fully backwards-compatible way, I think it's a strong hint that we should drop the existing previously-vulnerable behaviour if it isn't a benefit to developers.
* Allow using combine the Cache-Control `public` and `no-cache` headersyuuji.yaginuma2019-01-071-0/+10
| | | | | | | | | | | | | | | | | Since #30367, if `no-cache` includes Cache-Control headers, special keys like `public`, `must-revalidate` are ignored. But in my understanding, `public` still need in case of want to cache authenticated pages. The authenticated pages to be cacheable, but still authenticated for every user, need to specify the `Cache-Control: public, no-cache`. For keys other than `public`, I did not know the case where it was necessary to use it in combination with `no-cache`, so I fixed that can be used only for `public`. Ref: https://www.mnot.net/cache_docs/#CACHE-CONTROL Fixes #34780.
* Merge pull request #28937 from maclover7/jm-fix-28927Rafael França2018-07-311-0/+14
|\ | | | | Default content type for `head` is `text/html`
| * Default content type for `head` is `text/html`Jon Moss2017-04-301-0/+14
| | | | | | | | Otherwise Mime::NullType will be returned as the `Content-Type` header.
* | Add support for more HTTP cache controlsDaniel Schierbeck2018-06-131-0/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | From <https://tools.ietf.org/html/rfc5861>: > The stale-if-error HTTP Cache-Control extension allows a cache to > return a stale response when an error -- e.g., a 500 Internal Server > Error, a network segment, or DNS failure -- is encountered, rather > than returning a "hard" error. This improves availability. > > The stale-while-revalidate HTTP Cache-Control extension allows a > cache to immediately return a stale response while it revalidates it > in the background, thereby hiding latency (both in the network and on > the server) from clients. These are useful, fully standardized parts of the HTTP protocol with widespread support among CDN vendors. Supporting them will make it easier to utilize reverse proxies and CDNs from Rails.
* | Create MissingExactTemplate exception with separate templateVinicius Stock2018-04-201-1/+1
| |
* | Use assert_predicate and assert_not_predicateDaniel Colson2018-01-251-15/+15
| |
* | Introduced `ActiveSupport::Digest` that allows to specify hash function ↵Dmitri Dolguikh2017-12-121-1/+1
| | | | | | | | | | | | | | | | implementation and defaults to `Digest::MD5`. Replaced calls to `::Digest::MD5.hexdigest` with calls to `ActiveSupport::Digest.hexdigest`.
* | Merge pull request #30367 from ptoomey3/consistent-cache-control-headersAaron Patterson2017-09-051-0/+21
|\ \ | | | | | | Normalize/process Cache-Control headers consistently
| * | Use equality in place of refute assertions for accuracyPatrick Toomey2017-08-221-4/+2
| | |
| * | Normalize/process Cach-Control headers consistentlyPatrick Toomey2017-08-221-0/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In the existing logic, the `Cache-Control` header may or may not get normalized by additional logic depending on whether `response.cache_conrol` has been modified. This leads to inconsistent behavior, since sometimes `Cache-Control` can contain whatever a user sets and sometimes it gets normalized, based on the logic inside of `set_conditional_cache_control!`. It seems like this normalization process should happen regardless to ensure consistent behavior.
* | | Fix `can't modify frozen String` error in AC::RenderingKoichi ITO2017-09-021-0/+12
|/ /
* | Use frozen string literal in actionpack/Kir Shatrov2017-07-291-0/+2
| |
* | Revert "Merge pull request #29540 from kirs/rubocop-frozen-string"Matthew Draper2017-07-021-1/+0
| | | | | | | | | | This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.
* | Enforce frozen string in RubocopKir Shatrov2017-07-011-0/+1
| |
* | Define path with __dir__bogdanvlviv2017-05-231-6/+6
|/ | | | | | ".. with __dir__ we can restore order in the Universe." - by @fxn Related to 5b8738c2df003a96f0e490c43559747618d10f5f
* make `render` work with AC::Paramsyuuji.yaginuma2017-01-151-1/+0
| | | | | | | | In 4.2, since AC::Params inherited `Hash`, processing in the case of `Hash` was done. But in 5.x, since AC::Params does not inherit `Hash`, need to add care for AC::Params. Related to 00285e7cf75c96553719072a27c27e4ab7d25b40
* Add more rubocop rules about whitespacesRafael Mendonça França2016-10-291-1/+1
|
* Remove deprecated support to :nothing in renderRafael Mendonça França2016-10-091-10/+0
|
* Remove deprecated support for status option in headRafael Mendonça França2016-10-091-21/+0
|
* improve error message when include assertions failMichael Grosser2016-09-161-1/+1
| | | | | | assert [1, 3].includes?(2) fails with unhelpful "Asserting failed" message assert_includes [1, 3], 2 fails with "Expected [1, 3] to include 2" which makes it easier to debug and more obvious what went wrong
* fixes remaining RuboCop issues [Vipul A M, Xavier Noria]Xavier Noria2016-09-011-1/+1
|
* Add three new rubocop rulesRafael Mendonça França2016-08-161-1/+1
| | | | | | | | Style/SpaceBeforeBlockBraces Style/SpaceInsideBlockBraces Style/SpaceInsideHashLiteralBraces Fix all violations in the repository.
* applies remaining conventions across the projectXavier Noria2016-08-061-6/+6
|
* modernizes hash syntax in actionpackXavier Noria2016-08-061-24/+24
|
* applies new string literal convention in actionpack/testXavier Noria2016-08-061-59/+59
| | | | | The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* Fix adding implicitly rendered namespaced template digests to ETagsJavan Makhmali2016-07-131-10/+44
|
* Fix adding implicitly rendered template digests to ETagsJavan Makhmali2016-06-281-10/+35
| | | | Signed-off-by: Jeremy Daer <jeremydaer@gmail.com>
* render_to_string Regression Outside of Real Requests in Rails 5.0.0.rc1 (#25308)Brandon Medenwald2016-06-091-0/+7
| | | | | | * Restore the functionality of PR#14129, but do so with not nil to better indicate the purpose of the conditional * Add a test when render_to_string called on ActionController::Base.new()
* Strong ETag validatorsJeremy Daer2016-03-311-15/+43
| | | | | | | | | | | | | | | | | | * Introduce `Response#strong_etag=` and `#weak_etag=` and analogous options for `fresh_when` and `stale?`. `Response#etag=` sets a weak ETag. Strong ETags are desirable when you're serving byte-for-byte identical responses that support Range requests, like PDFs or videos (typically done by reproxying the response from a backend storage service). Also desirable when fronted by some CDNs that support strong ETags only, like Akamai. * No longer strips quotes (`"`) from ETag values before comparing them. Quotes are significant, part of the ETag. A quoted ETag and an unquoted one are not the same entity. * Support `If-None-Match: *`. Rarely useful for GET requests; meant to provide some optimistic concurrency control for PUT requests.
* Remove http_cache_forever's version parameterJean Boussier2016-03-051-9/+1
|
* Deprecate :controller and :action path parametersAndrew White2016-03-011-1/+4
| | | | | | | | Allowing :controller and :action values to be specified via the path in config/routes.rb has been an underlying cause of a number of issues in Rails that have resulted in security releases. In light of this it's better that controllers and actions are explicitly whitelisted rather than trying to blacklist or sanitize 'bad' values.
* Lock down new `ImplicitRender` behavior for 5.0 RCGodfrey Chan2016-02-251-2/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1. Conceptually revert #20276 The feature was implemented for the `responders` gem. In the end, they did not need that feature, and have found a better fix (see plataformatec/responders#131). `ImplicitRender` is the place where Rails specifies our default policies for the case where the user did not explicitly tell us what to render, essentially describing a set of heuristics. If the gem (or the user) knows exactly what they want, they could just perform the correct `render` to avoid falling through to here, as `responders` did (the user called `respond_with`). Reverting the patch allows us to avoid exploding the complexity and defining “the fallback for a fallback” policies. 2. `respond_to` and templates are considered exhaustive enumerations If the user specified a list of formats/variants in a `respond_to` block, anything that is not explicitly included should result in an `UnknownFormat` error (which is then caught upstream to mean “406 Not Acceptable” by default). This is already how it works before this commit. Same goes for templates – if the user defined a set of templates (usually in the file system), that set is now considered exhaustive, which means that “missing” templates are considered `UnknownFormat` errors (406). 3. To keep API endpoints simple, the implicit render behavior for actions with no templates defined at all (regardless of formats, locales, variants, etc) are defaulted to “204 No Content”. This is a strictly narrower version of the feature landed in #19036 and #19377. 4. To avoid confusion when interacting in the browser, these actions will raise an `UnknownFormat` error for “interactive” requests instead. (The precise definition of “interactive” requests might change – the spirit here is to give helpful messages and avoid confusions.) Closes #20666, #23062, #23077, #23564 [Godfrey Chan, Jon Moss, Kasper Timm Hansen, Mike Clark, Matthew Draper]
* Fix master buildJon Moss2016-02-181-1/+1
|
* remove unused variable from render testyuuji.yaginuma2016-01-301-1/+1
| | | | | | | | This removes the following warning. ``` rails/actionpack/test/controller/render_test.rb:278: warning: assigned but unused variable - response ```
* Run `file.close` before unlinking for traviseileencodes2016-01-281-1/+2
| | | | | | | | | | | This works on OSX but for some reason travis is throwing a ``` 1) Error: ExpiresInRenderTest#test_dynamic_render_with_absolute_path: NoMethodError: undefined method `unlink' for nil:NilClass ``` Looking at other tests in Railties the file has a name and we close it before unlinking, so I'm going to try that.
* Regression test for rendering file from absolute patheileencodes2016-01-281-0/+11
| | | | | | Test that we are not allowing you to grab a file with an absolute path outside of your application directory. This is dangerous because it could be used to retrieve files from the server like `/etc/passwd`.
* doc typoAkira Matsuda2016-01-271-2/+2
| | | | [ci skip]
* add a skip for failing testAaron Patterson2016-01-261-1/+2
|
* fix permitted? conditional for `render` callsAaron Patterson2016-01-261-0/+11
|
* clear view path cache between testsAaron Patterson2016-01-261-0/+5
| | | | | | | | The cache for `render file:` seems to also be used in the case of `render(string)`. If one is supposed to be a hit and the other is supposed to be a miss, and they both reference the same file, then the cache could return incorrect values. This commit clears the cache between runs so that we get non-cached behavior.
* Merge branch '5-0-beta-sec'Aaron Patterson2016-01-251-0/+31
|\ | | | | | | | | | | | | | | | | | | | | * 5-0-beta-sec: bumping version fix version update task to deal with .beta1.1 Eliminate instance level writers for class accessors allow :file to be outside rails root, but anything else must be inside the rails view directory Don't short-circuit reject_if proc stop caching mime types globally use secure string comparisons for basic auth username / password
| * allow :file to be outside rails root, but anything else must be inside the ↵Aaron Patterson2016-01-221-0/+31
| | | | | | | | | | | | rails view directory CVE-2016-0752
* | Response etags to always be weak: Prefixed W/ to value returned by ↵abhishek2016-01-201-1/+1
|/ | | | ActionDispatch::Http::Cache::Response#etag= such that etags set in fresh_when and stale? are weak. For #17556.
* Change Integer#year to return a Fixnum instead of a Float to improve consistencyKonstantinos Rousis2015-10-221-2/+2
|
* remove RackDelegation moduleAaron Patterson2015-08-261-2/+0
| | | | | | Since all controller instances are required to have a request and response object, RackDelegation is no longer needed (we always have to delegate to the response)
* Get rid of mocha tests - part 1Marcin Olichwirowicz2015-08-241-4/+4
|